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PROCEDURE AND SYSTEM FOR THE PROCESSING OF MESSAGES IN 
A TEIjECOMMUKI CATION SYSTEM 

FIELD OF THE INVENTION 

5 The present invention relates to telecommuni- 

cation technology. In particular, the invention relates 
to a procedure and a system for the encryption and de- 
cryption of short messages and for sender authentica- 
tion in a telecommunication system. 

10 

BACKGROUND OF THE INVENTION 

In telecommunication networks, e.g. GSM net- 
worlcs (GSM, Global System for Mobile communications) , 
heavy encryption of speech transmission is used in the 

15 radio link between a mobile station and a base station. 
Besides voice communication, the use of text messages 
for communication via mobile stations has increased. 
With a rise in the service standard, services based on 
text communication have" become common. Text communica- 

20 tion can be utilised in various service functions, in 
paying for services etc. At present, an obstacle to 
easy encryption of messages is the fact that mobile 
stations consistent with current mobile communication 
standards do not permit changes facilitating encryp- 

25 tion. The only component that is sufficiently standard- 
ised and allows encryption is the siibscriber identity 
module (SIM) . 

Mobile telephones consistent with a current 
mobile communication standard, such as the GSM stan- 

30 dard, do not directly provide a possibility to use en- 
cryption in text communication by mobile stations. Text 
communication can be used to implement services requir- 
ing a high level of data security. However, services 
requiring a high level of data security cannot become 

3 5 common before sufficient encryption of messages is pos- 
sible . 
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Currently known closed user group solutions in 
mobile communication networks are implemented e.g. on 
the basis of mobile telephone numbers. In these appli- 
cations, the message is delivered separately to each 
person included in a distribution list irrespective of 
location. A drawback is that there are considerable 
differences in the message delivery time between the 
first and last persons on the distribution list. 

At present, a problem with message communica- 
tion in accordance with a mobile communication standard 
is that it is possible for a third party to read the 
content of a text message. A further problem is how to 
encrypt the messages relating to different services so 
that the receiver can ascertain the identity of the 
sender. Another problem is encountered in the sending 
of encrypted messages to a closed receiver group in a 
given area . 

The object of the present invention is to 
eliminate the above-mentioned drawbacks or at least to 
20 significantly alleviate them. 

A specific object of the present invention is 
to disclose a new type of procedure and system for en- 
crypting the outgoing message traffic between mobile 
stations consistent with a current mobile communication 
standard and/or between a mobile station and a service 
provider and for decrypting the incoming message traf- 
fic. In addition, the procedure and system, of the in- 
vention allow encrypted messages to be sent to and re- 
ceived from a closed receiver group in a given area. 

As for the features characteristic of the pre- 
sent invention, reference is made to the claims. 

BRIEF DESCRIPTION OF THE INVENTION 

In the procedure of the invention for encrypt - 
3 5 ing a message and/or authenticating the sender of a 
message in a telecommunication network in a telecommu- 
nication system, the transmission software comprises 
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the applications and parameters of the encryption algo- 
rithm used. The message is e.g. an SMS message (SMS, 
Short Message Service) consistent with a mobile commu- 
nication standard . 
5 In the procedure, using a mobile station, mes- 

sages are generated and sent and received via the mes- 
sage switching centre of the telecommunication system, 
the applications and parameters needed by the en- 
cryption and/or decryption algorithm used are stored on 

10 the subscriber identity module. In addition, the mes- 
sage encrypted and/or to be encrypted and/or the mes- 
sage decrypted and/or to be decrypted is/are stored on 
the subscriber identity module. As an encryption algo- 
rithm, it is possible to use e.g. an RSA algorithm or a 

15 corresponding algorithm providing a high level of data 
security, the function of which is obvious to the 
skilled person. The telecommunication system preferably 
comprises a telecommunication network, a mobile station 
connected to it and a subscriber identity module con- 

20 nected to the mobile station, a message switching cen- 
tre, transmission software connected to the message 
switching centre and a service provider connected to 
the transmission software. A preferred example of the 
mobile communication system is the GSM system. 

2 5 According to the invention, a given memory lo- 

cation in the subscriber identity module is monitored 
and encryption of a message and/or decryption of an en- 
crypted message are/is started on the basis of a prede- 
termined string stored in the given memory location. 
30 The memory location may be e.g. an ADN memory location 
(ADN, Abbreviated Dialling Number) . Encryption of mes- 
sages stored in the subscriber identity module is 
started if e.g. "Name: bank" and "No.: 1235". is stored 
in the ADN memory location. An encryption algorithm 

3 5 stored on the subscriber identity module performs the 

encrypting of the message or messages and returns de- 
crypted messages to the SMS memory locations after the 
mobile station has been restarted. The string used to 
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activate encryption/decryption can be removed from the 
subscriber identity module automatically. 

In this way, a kind of security feature is 
achieved. The string activating encryption/decryption 
will not be accidentally left in the ADN memory loca- 
tion. Messages stored and received on the subscriber 
identity module can also be automatically encrypted or 
decrypted. 

An encrypted message can also be transmitted 
only to a closed user group in a predetermined area. 
Decryption is only possible if the receiver has the en- 
cryption key required for the decryption of the mes- 
sage. As a transmission means, it is possible to use 
e.g. the cell broadcast (CB) feature comprised in the 
mobile communication standard. When a message is to be 
sent, an area to which the message is to be delivered 
is defined. Since the message is transmitted to the re- 
ceivers using areal mobile communication technology, 
all users will receive the message simultaneously. If a 
member of the closed receiver group is absent from the 
specified area, the information will not be transmitted 
to that user. The invention is applicable e.g. to the 
development of a regular customer concept in applica- 
tions where given information is only to be made avail - 
25 able to a desired group. 

According to the invention, the user of a mo- 
bile station can send a service request in the form of 
a message. The transmission software gets the required 
information from the service provider and calls an en- 
cryption and/or decryption routine, which encrypts 
and/or decrypts .the message received from the service 
provider and sends the- encrypted and/or decrypted mes-. 
sage to the message switching centre and further to the 
mobile station. 

The system of the invention comprises means 
for monitoring a given memory location in the sub- 
scriber identity module and means for starting encryp- 
tion of a message and/or decryption of an encrypted 
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message on the basis of a predetermined string stored 
in the given memory location in the subscriber identity 
module. 

The system preferably comprises means for 
5 automatically removing the string activating encryption 
and/or decryption from the subscriber identity module. 
Moreover, the system comprises means for transmitting 
the message only to a closed user group in a given 
area. The user group preferably has means for decrypt - 
10 ing the encrypted message. 

According to the invention, the transmission 
software comprises means for calling an encrypting 
and/or decrypting routine for the encryption and/or de- 
cryption of a message received from a service provider 
15 and means for sending an encrypted and/or decrypted 
message further to the message switching centre and 
from there further to a mobile station. 

The subscriber identity module preferably com- 
prises means for automatically encrypting and decrypt- 

2 0 ing messages stored on' the subscriber identity module 

and received messages. 

The invention also relates to a subscriber 
identity module. It comprises a data processing device, 
a storage device connected to the data processing de- 
25 vice and a data transfer device connected to the data 
processing device. Moreover, the subscriber identity 
module is provided with an interface for data transfer 
between the mobile station and the subscriber identity 
module. The subscriber identity module comprises means 

3 0 for monitoring a given memory location and means for 

activating the encryption of a message or decryption of 
an encrypted message on the basis of a predetermined 
string stored in the given memory location in the sub- 
scriber identity module. 
3 5 As compared with prior art, the invention has 

the advantage that it allows digital signature of mes- 
sages as well as encryption and decryption. Thus it 
makes it possible to reliably identify the sender of a 
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message. In addition, the invention makes it possible 
to reach a plurality of users in a predetermined area 
simultaneously and without loading the network. Thus, 
the members of the closed user group only receive rele- 
vant information relating to the time and area in ques- 
tion. A further advantage of the invention is that the 
messages sent between a service provider and a mobile 
station can be encrypted while at the same time ascer- 
taining the authenticity of the information. 

BRIEF DESCRIPTION OF THE DRAWINGS 

In the following, the invention will be de- 
scribed by way of example with reference to embodiments 
illustrated in the drawings, wherein 

Fig. 1 presents a preferred telecommunication 
system according to the invention. 

Fig. 2 presents a preferred subscriber iden- 
tity module according to the invention. 

Fig. 3 presents a preferred example of the 
subscriber identity module. 

Fig. 4 presents a preferred example of a flow 
chart representing areal message transmission. 

Fig. 5 presents a preferred example of message 
encryption, and 

Fig. 6 presents a block diagram illustrating a 
preferred example of message encryption between a cus- 
tomer and a content provider. 

DETAILED DESCRIPTION OF THE INVENTION 

The telecommunication system presented in Fig. 
1 comprises a telecommunication network l featuring a 
short message service (SMS) consistent with a mobile 
communication standard. Other types of message, such as 
USSD (USSD, Unstructured Service Data), can be used. 
Furthermore, instead of SMS messages, it is possible to 
utilise the WAP (WAP, Wireless Application Protocol). 
The telecommunication network is preferably a GSM net- 



wo 99/39524 



7 



PCT/FI99/00019 



work, but other mobile communication networks, such as 
UMTS (UMTS, Universal Mobile Telecommunication Stan- 
dard) networks, can also be used. Connected to the mo- 
bile communication network 1 is a mobile station 2 with 
5 a subscriber identity module SIM connected to it. Also 
connected to the mobile communication network 1 is a 
message switching centre 3, which may be e.g. a SM-SC 
(SM-SC, Short Message Service Centre) in a GSM system. 
The message switching centre 3 comprises means 9 for 

10 transmitting a message exclusively to a closed user 
group in a predetermined area. 

Connected to the message switching centre 3 is 
transmission software 4, which comprises means 11 for 
calling an encrypting and/or decrypting routine for the 

15 processing of a message received from a service pro- 
vider 5. Moreover, it comprises means 12 for sending an 
encrypted and/or decrypted message further to the 
switching centre 3 and from there to the mobile station 
2. Furthermore, the system comprises a service provider 

20 5. The service provider 5 may be e.g. a bank. 

A preferred subscriber identity module SIM as 
presented in Fig. 2 comprises a data processing device 
14, a storage device 15 connected to the data process- 
ing device 14 and a data transfer device 16, also con- 

25 nected to the data processing device 14. In addition, 
the subscriber identity module SIM is provided with, an 
interface RP for data transfer between the mobile sta- 
tion 2 and the subscriber identity module SIM. 

The subscriber identity module SIM preferably 

3 0 comprises means 6 for monitoring a given memory loca- 
tion in the subscriber identity module SIM and means 7 
for activating the encryption of a message and/or de- 
cryption of an encrypted message on the basis of a pre- 
determined string stored in the given memory location. 

3 5 In addition, the subscriber identity module comprises 
means 8 for automatically removing the string used to 
activate encryption/decryption from the subscriber 
identity module SIM. Moreover, it comprises means 13 
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for automatically encrypting and decrypting messages 
stored and received on the subscriber identity module 
SIM. 

The means 6 -16 presented in Fig. i and 2 are 
implemented in a manner known per se and they will 
therefore not be described in detail. 

Fig. 3 presents a preferred example of the 
subscriber identity module SIM according to the present 
invention. The subscriber identity module SIM is con- 
nected to a terminal, which in this example is a mobile 
station ME consistent with the GSM standard. An appli- 
cation in the DFX directory expects that a predeter- 
mined string code is stored in a given location in the 
EFadn file. When this occurs, the EF application pro- 
gram loads the short messages contained in the EFsms 
file in the DF directory and processes them in the de- 
sired manner. Finally, the program returns the proc- 
essed short messages into the EFsms file. The communi- 
cation between the mobile station ME and the subscriber 
20 identity module SIM is consistent with the GSM stan- 
dard. 

The system presented in Fig. 4 comprises a 
sender, a sending end application and a network appli- 
cation. In addition, the system comprises a receiving 
25 end application and a closed user group. 'Sender- here 
means a person and/or the apparatus and/or application 
which sends the messages according to the invention. 
The message may be e.g. an SMS or USSD message. The 
sending and receiving end application is a functional 
entity which contains both the physical apparatus and 
the associated application software. In this example, 
the physical apparatus comprises a mobile telephone, a 
subscriber identity module connected to it and a possi- 
ble parallel subscriber identity module, e.g. an intel- 
ligent card external to the GSM system. The application 
software is located either in the mobile telephone 
and/or in the subscriber identity module and/or in the 
parallel subscriber identity module or in a system com- 
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municating with these. The application software can be 
distributed between the various parts of the physical 
apparatus . 

*Areal receiver' means a person and/or appara- 
5 tus and/or application which receives areal messages 
according to the invention. To receive the messages, 
mobile users in the area need a sufficient hardware and 
software assembly. This assembly consists of a physical 
apparatus and the associated application software. The 

10 principle corresponds to that of the sending end appli- 
cation, but there may be differences in concrete assem- 
blies and functional properties. 

The network application is a functional entity 
which communicates with the sending end application. 

15 'Network application' may refer to service bases con- 
taining the physical apparatus and the software. The 
network application may consist of e.g. a short message 
service centre or a Cell Broadcast service centre 
and/or systems and interfaces etc. connected with 

20 these. The main functions of the network application 
include receiving the messages from the sending end ap- 
plication, routing them to the switching centres which 
manage areal messuage transmission and sending the mes- 
sages to the receivers in a given area. In an alterna- 

25 tive solution, the transmission of the messages can be 
implemented using other than wireless technology. The 
messages can be . transferred to the network application 
using e.g. data networks, such as TCP/IP (TCP, Trans- 
mission Control Protocol; IP, Internet Protocol) of 

30 X.25 . 

In the following, the numbering used in Fig. 4 
is referred to. - 7' 

41. The sender enters a message, • selects a 
closed user group as the receiver and indicates that he 

3 5 wants to send the message. 

42. The sending end application encrypts the 
message using its encryption key and sends the message 
to the network application. 
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43. The network application transmits the mes- 
sage to the closed user group. The network transmits 
the message transparently without regard to its content 
or the encryption used with it. 

44. The receiving end applications of the 
closed user group in the area decrypt the message. The 
receivers read the message in plain- language form. 

Fig. 5 illustrates the procedure used to en- 
crypt a message, e.g. an SMS message. In block 51, the 
user stores a short message or short messages on the 
subscriber identity module. In block 52, the user en- 
ters in the Name field of a memory location a predeter- 
mined string referring to encryption or decryption. In 
this example, the string is "bank". In the Number 
field, the user enters "12345". These strings function 
as the factor which starts encryption or decryption. 

In the next block 53, the system checks 
whether the strings stored in the memory location re- 
quire encryption or decryption of messages. If not, ac- 
tion is resumed from block 52. If the stored string 
functions as an activator of encryption or decryption, 
then the procedure goes on to block 54. In block 54, a 
check is made to determine whether there are any mes- 
sages to be encrypted or decrypted on the subscriber 
25 identity module. If not, then action is resumed from 
block 52. If there are- messages to be processed on the 
. subscriber identity module, then these are loaded ac- 
cording to block 55. In block 56, the stored message is 
processed in the desired manner and using the required 
30 algorithm. For encryption, e.g. an RSA algorithm or 
some other corresponding algorithm creating a high 
level of data security can be used. Finally, according 
to block 57, the encrypted or decrypted message is re- 
turned into an EFsms file as shown in Fig. i. 

Fig. 6 illustrates the progress of a message 
when a service request in the form of a message is sent 
from a mobile station to a service provider. A customer 
sends (61) a -request for the transmission of informa- 
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tion to the mobile station user. The SM-SC transmits 
(62) the request further to the transmission software. 
The transmission software converts the request into a 
form understandable to the service provider and trans - 
5 mits (63) it to the service provider. The service pro- 
vider sends (64) information it has produced back to 
the transmission software. The transmission software 
calls (65) the encryption routine, which encrypts the 
information by using an agreed private key associated 

10 with the service provider and transmits, the encrypted 
message to the SM-SC switching centre using a number 
associated with the private key as the sending tele- 
phone number. The encryption algorithm may be part of 
the transmission software or it may be located in a 

15 separate functional unit, e.g. a server. The SM-SC 
transmits (68) the message to the mobile user. The mes- 
sage is identified as proceeding from a telephone num- 
ber recognised as being reliable, messages received 
from this number being decrypted by using a public key 

20 associated with the telephone number in question. The 
mobile station displays the message in a way that per- 
mits the user to ascertain its authenticity, e.g. "Mes- 
, sage received from N. Read?". The above example can be 
applied to two-way communication instead of an one-way 

2 5 implementation as described. 

The invention is' n'bt restricted to the embodi- 
ments illustrated above by means of examples, but in- 
stead many variations are possible within the scope of 
the inventive idea defined in the claims. 



30 



wo 99/39524 



12 



PCT/FI99/000I9 



CLAIMS 



1. Procedure for the encryption of a message 
and/or authentication of the sender of a message in 

5 telecommunication network (1) in a telecommunication 
system which comprises the telecommunication network 
(1), a mobile station (2) connected to it and a sub- 
scriber identity module (SIM) connected to the mobile 
station (2) , a message switching centre (3) connected 
10 to the telecommunication network (I), transmission 
software (4) connected to the message switching centre 
and a service provider (5) connected to the transmis- 
sion software, the transmission software (4) comprising 
the applications and parameters of the encryption algo- 
15 rithm to be used; and in the procedure messages are 
generated and sent and received by means of the mobile 
station (2) via the message switching centre (3) of the 
telecommunication network (1), the applications and pa- 
rameters needed by the encryption and/or decryption al- 
gorithm to be used are stored on the subscriber iden- 
tity module (SIM) ; and in the procedure the message to 
be processed is stored on the subscriber identity mod- 
ule (SIM), characterised in that 

a given memory location in the subscriber identity 
module is monitored and encryption of a message and/or 
decryption of an encrypted message are/is started, , on 
the basis of a predetermined string stored in the given 
memory location in the subscriber identity module 
(SIM) . 

2. Procedure as defined in claim 1, char- 
acterised in that the string activating encryption 
and/or decryption is removed from the subscriber iden- 
tity module (SIM) automatically. 

3. Procedure as defined in claim 1 and 2, 
characterised in that a closed user group with i 
user group-specific decryption key is formed. 
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4. Procedure as defined in claims 1 - 3, 
characterised in that the message is only trans- 
mitted to a closed user group in a given area. 

5. Procedure as defined in claims 1 - 4, 
5 characterised in that the transmission software 

(4) calls an encryption and/or decryption routine, 
which encrypts and/or decrypts a message received from 
the service producer (5) and sends the encrypted and/or 
decrypted message to the message switching centre (3) 
10 and further to the mobile station (2) . 

6. Procedure as defined in claims 1 - 5, 
characterised in that the message is a short mes- 
sage (SMS, Short Message Service) consistent with a mo- 
bile communication standard. 

15 7. Procedure as defined in claims 1 - 6, 

characterised in that the memory location on the 
subscriber identity module (SIM) is an ADN memory loca- 
tion. 

8. Procedure as defined in claims 1 - 7, 
20 characterised in- that messages stored and re- 
ceived on the subscriber identity module (SIM) are en- 
crypted and decrypted automatically. 

9. Procedure as defined in claims 1 - 8, 
characterised in that the message is sent to a 

2 5 closed user group using CB (CB, Cell Broadcast) . 

10. System for the encryption of a message 
and/or authentication of the sender of a message in a 

. telecommunication network (1) in a telecommunication 
system which comprises the telecommunication network 
30 (1) , a mobile station (2) connected to it and a sub- 
scriber identity module (SIM) connected to the mobile 
station (2), a message switching centre (3) connected 
to . the telecommunication, network (1) , transmission 
software (4) connected to the message switching centre 

3 5 and a service provider (5) connected to the transmis- 

sion software, the transmission software (4) comprising 
the applications and parameters of the encryption algo- 
rithm to be used; and in the procedure messages are 



wo 99/39524 



14 



PCT/FI99/00019 



10 



generated and sent and received by means of the mobile 
station (2) via the message switching centre (3) of the 
telecommunication network (1), the applications and pa- 
rameters _ needed for the encryption and/or decryption 
algorithm to be used are stored on the subscriber iden- 
tity module (SIM) ; and in the procedure the message to 
be processed is stored on the subscriber identity mod- 
ule (SIM), characterised in that the system com- 
prises 

means for monitoring a given memory location in the 
siobscriber identity module (SIM) ; and 

means (7) for starting the encryption of a message 
and/or decryption of an encrypted message on the basis 
of a predetermined string stored in the given memory 
15 location in the subscriber identity module (SIM) . 

11. System as defined in claim 10, charac- 
terised in that the system comprises means (8) for 
automatically removing the string activating encryption 
and/or decryption of a message from the subscriber 

20 identity module (SIM) 

12. System as defined in claim 10 and ii/ 
characterised in that the system comprises meani 
(9) for transmitting a message exclusively to a closed 
user group in a predetermined area . 

. System as defined in claims 10-12, 

characterised in that the system comprises user 
group-specific means (10) for decrypting an encrypted 
message . 

14. System as defined in claims 10 - 13 
30 characterised in that the transmission software 

(4) comprises means (11) for calling an encrypting 
and/or decrypting routine for the encryption and/or de- 
cryption of a message received from a service provider 

(5) and means (12) for sending an encrypted and/or de- 
35 crypted message further to the message switching centre 

(3) and from there to the mobile station (2) . 

15. System as defined in claims 10 - 14 
characterised in that the system comprises means 
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(13) for automatic encryption and decryption of mes- 
sages stored on the subscriber identity module (SIM) 
and messages received. 

16. System as defined in claims 10 - 15, 
5 characterised in that the encryption algorithm is 

an RSA algorithm or some other acceptable encryption 
algorithm providing a high level of data security. 

17. Subscriber identity module (SIM), compris- 
ing a data processing device (14), a storage device 

10 (15) connected to the data processing device (14) and a 
data transfer device (16) which is connected to the 
data processing device (14) and provided with an inter- 
face (RP) for the transfer of information between the 
mobile station (2) and the subscriber identity module 

15 (SIM), characterised in that the subscriber 
identity module (SIM) comprises 

means (6) for monitoring a given memory location in 
the subscriber identity module (SIM) ; and 

means (7) for starting the encryption of a message 

2 0 and/or decryption of an encrypted message on the basis 

of a predetermined . string stored in the given memory 
location in the subscriber identity module (SIM) . 

18. Subscriber identity module (SIM) as de- 
fined in claim 17, characterised in that the 

25 subscriber identity module (SIM) comprises means (8) 
for automatically removing the string activating mes- 
sage encryption and/or decryption from the subscriber 
identity module (SIM) . 

19. Subscriber identity module (SIM) as de- 

3 0 fined in claims 17 and 18, characterised in that 

the subscriber identity module (SIM) comprises means 
. (13)-. for. automatic encryption and: decryption of mes- 
sages stored, on the ..subscriber^, identity module (SIM) 
and messages received. 
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